Summary of Tools for Java Platform Security

Last Modified: 28 July, 2006

Below is a summary of the following security tools, with links
to the more detailed documentation: keytool,
jar, jarsigner,
Policy Tool, kinit,
klist, and ktab. All of
these tools are command-line tools with the exception of Policy
Tool, which has a graphical user interface.

import certificate replies (obtained from the Certification
Authority you contacted)

designate public keys belonging to other parties as
trusted

copy entries between two keystores

Keys and certificates are used to digitally sign your
applications and applets (see jarsigner below). A
keystore is a protected database that holds keys and
certificates for an enterprise. Access to a keystore is guarded by
a password (defined at the time the keystore is created, by the
person who creates the keystore, and changeable only when providing
the current password). In addition, each private key in a keystore
can be guarded by its own password.
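The two password layers described above (one on the keystore as a whole, one on each key entry) can be exercised with the standard `java.security.KeyStore` API. The following is an added example, not code from the original page or from the JDK tools themselves; it builds an in-memory PKCS12 keystore holding a symmetric key entry (chosen only because it needs no certificate chain, so the demo stays self-contained; `PasswordProtection` works the same way for private-key entries), then shows that a wrong store password or a wrong key password each independently prevents recovery of the key. The passwords and alias are constructed demo values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Demonstrates the two password layers of a keystore: one for the store, one per key entry. */
public class KeystorePasswordLayers {
    // Constructed demo passwords; in practice these come from a prompt or a secrets store.
    static final char[] STORE_PASS = "store-pass-demo".toCharArray();
    static final char[] KEY_PASS   = "key-pass-demo".toCharArray();
    static final String ALIAS      = "demo-key";   // constructed alias

    /** Builds an in-memory PKCS12 keystore holding one key entry protected by KEY_PASS. */
    static byte[] createKeystore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                       // start with an empty store
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();          // symmetric key keeps the demo self-contained
        // The key-entry password is independent of the store password.
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(KEY_PASS));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASS);                 // store password also seals the integrity check
        return out.toByteArray();
    }

    /** Returns true only if both the store password and the key password are correct. */
    static boolean canRecoverKey(byte[] encoded, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try {
            ks.load(new ByteArrayInputStream(encoded), storePass);
        } catch (IOException e) {
            // Wrong store password: the integrity check fails before any entry is readable.
            return false;
        }
        try {
            return ks.getKey(ALIAS, keyPass) != null;
        } catch (UnrecoverableKeyException e) {
            // Correct store password but wrong key password: the entry stays sealed.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] ks = createKeystore();
        System.out.println("store+key ok:   " + canRecoverKey(ks, STORE_PASS, KEY_PASS));
        System.out.println("wrong store pw: " + canRecoverKey(ks, "wrong".toCharArray(), KEY_PASS));
        System.out.println("wrong key pw:   " + canRecoverKey(ks, STORE_PASS, "wrong".toCharArray()));
    }
}
```

Run with `javac KeystorePasswordLayers.java && java KeystorePasswordLayers`. The first line prints `true` and the other two `false`: knowing the store password lets you list aliases and read certificates, but not use a key whose own password you do not hold, which is exactly the property that jarsigner relies on when it prompts separately for the two.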

The Java ARchive (JAR) file format enables you to bundle
multiple files into a single archive file. Typically a JAR file
will contain the class files and auxiliary resources associated
with applets and applications. When you want to "digitally sign"
code, you use the jar tool to place it in a JAR file and the
jarsigner tool to sign the JAR file (after generating or
importing appropriate keys into your keystore using
keytool).

Use the jarsigner tool to sign JAR files, or to verify
signatures on signed JAR files.

The jarsigner tool accesses a keystore that is created
and managed by keytool, when it needs to find the private
key and its associated certificate chain to use when signing a JAR
file. Since accesses to the keystore and to private keys are
protected by passwords, only people who know the passwords will be
able to access the key and use it to sign a JAR file. The
jarsigner tool prompts for needed passwords.
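What `jarsigner -verify` does for a signed JAR can also be checked from application code, which is useful when a service loads JARs at runtime and wants to enforce that every entry was signed by a certificate it trusts. The following is an added example, not code from the original page or from the JDK tools; the JAR path, the keystore path and its password are assumed to be supplied on the command line. It relies on two details of `java.util.jar.JarFile` that are easy to miss: signers are only attached to an entry after that entry has been read to end of file, and an entry that was added to the JAR after signing has no signers at all (`getCodeSigners()` returns `null`), so a loop that only checks entries it happens to read would miss it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Programmatic equivalent of "jarsigner -verify -keystore ...": every entry must be signed by a trusted cert. */
public class VerifySignedJar {

    /** Collects the certificates stored under every alias of the trust keystore. */
    static Set<Certificate> trustedCertificates(KeyStore trusted) throws Exception {
        Set<Certificate> certs = new HashSet<>();
        for (String alias : Collections.list(trusted.aliases())) {
            Certificate c = trusted.getCertificate(alias);
            if (c != null) certs.add(c);
        }
        return certs;
    }

    /**
     * Returns the names of entries that are unsigned, tampered with, or signed by an untrusted
     * certificate. An empty list means the JAR passes.
     */
    static List<String> rejectedEntries(String jarPath, Set<Certificate> trustedCerts) throws Exception {
        List<String> rejected = new ArrayList<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {          // true: verify signatures while reading
            for (JarEntry e : Collections.list(jar.entries())) {
                // Directories and the signature-related files under META-INF carry no signers of their own.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* read to EOF so the digest is checked and signers attached */ }
                } catch (SecurityException tampered) {
                    rejected.add(e.getName() + " (digest mismatch)");
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners();           // null for an unsigned entry
                boolean trusted = false;
                if (signers != null) {
                    for (CodeSigner s : signers) {
                        // The first certificate in the path is the signer's own (leaf) certificate.
                        Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                        if (trustedCerts.contains(leaf)) { trusted = true; break; }
                    }
                }
                if (!trusted) rejected.add(e.getName() + (signers == null ? " (unsigned)" : " (untrusted signer)"));
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java VerifySignedJar <signed.jar> <truststore> <storepass>");
            System.exit(2);
        }
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trusted.load(in, args[2].toCharArray());
        }
        List<String> rejected = rejectedEntries(args[0], trustedCertificates(trusted));
        if (rejected.isEmpty()) {
            System.out.println("jar verified: all entries signed by a trusted certificate");
        } else {
            System.out.println("jar rejected:");
            for (String r : rejected) System.out.println("  " + r);
            System.exit(1);
        }
    }
}
```

The check compares the signer's leaf certificate byte-for-byte with those in the truststore, which matches how jarsigner reports a trusted signer when the certificate is present under some alias in the `-keystore` you pass it. Certificate chain validation, expiry and revocation are deliberately not covered here; for those, pass the signer's `CertPath` to a `CertPathValidator` configured with your trust anchors.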

kinit is used to obtain and cache Kerberos ticket-granting
tickets. This tool is similar in functionality to the kinit tool
commonly found in other Kerberos implementations, such as SEAM and
the MIT reference implementation.

The user must be registered as a principal with the Key
Distribution Center (KDC) prior to running kinit.

Solaris - Equivalent functionality is available for
Solaris users via the kinit tool that is part of the Solaris
operating environment.

Linux - Equivalent functionality is available for Linux
users via the kinit tool in any Kerberos 5 installation.

ktab is a command-line tool that allows the user to manage the
principal names and service keys stored in a local key table.
Principal and key pairs listed in the keytab allow services running
on a host to authenticate themselves to the Key Distribution Center
(KDC). Before a server can be set up to use Kerberos, the user must
set up a keytab on the host running the server. Note that any
updates made to the keytab using ktab do not affect the Kerberos
database. If you change the keys in the keytab, you must also make
the corresponding changes to the Kerberos database. Also note that
the command-line options are not case-sensitive.

Solaris - Equivalent functionality is available for
Solaris users via the ktutil or kadmin tool that is part of the
Solaris operating environment.

Linux - Equivalent functionality is available for Linux
users via the ktutil or kadmin tool in any Kerberos 5
installation.
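The kinit and ktab sections above describe the two sides of Kerberos on the Java platform: a user obtains and caches a ticket-granting ticket, and a service proves its identity with a key from a keytab. The JDK consumes both through the `Krb5LoginModule` JAAS module, and the following added example (not code from the original page or from the JDK tools) shows the service side: it builds a JAAS configuration programmatically so that login reads the key from the keytab ktab prepared, never prompts for a password, and fails cleanly when the keytab key no longer matches what the KDC holds, which is the situation the ktab section warns about. The principal name, keytab path and krb5 settings are placeholders for your environment; for the user side, the same module with `useTicketCache=true` reads the ticket cache that kinit populated.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Service login with a keytab via Krb5LoginModule: the programmatic counterpart of ktab + a keytab-backed service. */
public class KeytabLogin {

    /** JAAS configuration that authenticates from a keytab instead of prompting for a password. */
    static Configuration keytabConfig(final String principal, final String keytabPath) {
        final Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");     // take the long-term key from the keytab ...
        opts.put("keyTab", keytabPath);    // ... stored at this path (placeholder)
        opts.put("principal", principal);  // the service principal registered with the KDC (placeholder)
        opts.put("storeKey", "true");      // keep the key in the Subject so the service can accept client tickets
        opts.put("doNotPrompt", "true");   // a daemon has nobody to type a password: fail instead of asking
        // isInitiator is left at its default (true), so login also requests a TGT from the KDC;
        // this is what proves the keytab key still matches the KDC database.
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        opts)
                };
            }
        };
    }

    /** Performs the login and returns the authenticated Subject; throws if the KDC rejects the key. */
    static Subject login(String principal, String keytabPath) throws LoginException {
        LoginContext lc = new LoginContext("KeytabService", null, null,
                                           keytabConfig(principal, keytabPath));
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) {
        // Placeholders: replace with your realm, KDC and service identity. The realm and KDC may
        // also come from a krb5.conf file pointed to by -Djava.security.krb5.conf.
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "kdc.example.com");
        String principal = "HTTP/host.example.com@EXAMPLE.COM";
        String keytab = "/etc/krb5/host.keytab";
        try {
            Subject subject = login(principal, keytab);
            System.out.println("logged in as " + subject.getPrincipals());
        } catch (LoginException e) {
            // Typical causes: principal not in the keytab, or the keytab key/kvno no longer matches
            // the KDC database because one side was changed without the other (see the ktab note above).
            System.err.println("keytab login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Because the keytab is the service's long-term credential, treat it like the private key in a keystore: restrict the file's permissions to the service account, and whenever the key is rotated with ktab, update the KDC entry in the same change so the two do not drift apart.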

Examples of Use of the Tools

Examples of the use of several of these security tools can be found
in the Security trail of the Java Tutorials.